flowstudio-power-automate-mcp
Pass
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: SAFE
DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it instructs the agent to process and act upon potentially untrusted data from external flow run outputs and definitions.
  - Ingestion points: Data enters the context via `get_live_flow_run_action_outputs` and `get_live_flow` as described in `SKILL.md` and `references/tool-reference.md`.
  - Boundary markers: Absent. The skill provides no instructions to isolate or ignore instructions that might be embedded within the flow definitions or action outputs.
  - Capability inventory: The agent is granted the ability to modify flow logic (`update_live_flow`), trigger executions (`trigger_live_flow`), and manage runs (`cancel_live_flow_run`, `resubmit_live_flow_run`).
  - Sanitization: Absent. The skill encourages the agent to use fetched action outputs to programmatically adjust flow expressions and definitions without validation.
- [DATA_EXFILTRATION]: The skill facilitates the transmission of sensitive Power Platform data, including environment configurations, connection references, and full flow definitions (which may contain proprietary logic or sensitive parameters), to an external service endpoint at `mcp.flowstudio.app`.
- [COMMAND_EXECUTION]: The skill provides Python and Node.js implementation patterns that execute network requests using standard libraries (`urllib.request` and `fetch`). These patterns are intended for the agent to communicate with the external MCP server to perform administrative tasks in the Power Platform environment.
Audit Metadata